Argo CD

What GitOps Means in Argo CD's Model#

GitOps in Argo CD's specific definition: the desired state of every Kubernetes resource lives in a Git repository, and a controller in the cluster continuously reconciles cluster state to match. Drift — anyone editing the cluster directly — is detected and (optionally) auto-reverted. Rollback is a Git revert. Audit is `git log`.

The model collapses a stack of tools (CI/CD platform, deploy pipeline, kubectl access management, change-control ticketing) into one substrate: Git plus a controller. The reduction in surface area is the value.

Application CRD#

Argo CD's core CRD is the Application: it points at a Git repo, path, target revision (branch, tag, commit, or chart version), destination cluster and namespace, and sync policy. The controller polls (or webhooks) the repo, renders manifests (Helm/Kustomize/Jsonnet/plain), diffs against live state, and either reports or applies the difference.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: ml-platform
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/example-org/ml-platform-gitops
    path: deploy/kustomize/overlays/prod
    targetRevision: main
  destination:
    server: https://kubernetes.default.svc
    namespace: ml-platform
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

ApplicationSets#

For multi-tenant or multi-cluster fleets, the ApplicationSet controller generates Applications from a template plus a generator (list, cluster, Git directory, pull-request, matrix). A common pattern: one ApplicationSet generates an Application per environment per region per cluster, all from a single declarative template.

Sync Strategies#

• Manual sync — drift is detected but not corrected; humans approve syncs in the UI or CLI.
• Automated sync — Argo applies changes as soon as Git updates.
• Self-heal — Argo reverts any out-of-band change to bring the cluster back to Git.
• Prune — Argo deletes resources removed from Git.
• Sync waves and hooks — control ordering (PreSync, Sync, PostSync, SyncFail) — useful for database migrations, certificate provisioning, gated rollouts.

Argo CD vs Flux CD#

Argo CD and Flux CD are the two CNCF Graduated GitOps tools. Both are mature, both are widely deployed, both support Helm and Kustomize. The differences:

Argo Rollouts#

Argo Rollouts is a separate CRD that replaces standard Kubernetes Deployments with one supporting blue-green and canary strategies, integrated with service meshes (Istio, Linkerd) and ingress controllers for traffic shifting. It is independent of Argo CD but typically deployed alongside — Argo CD applies the Rollout CRD from Git, Argo Rollouts executes the progressive delivery.

Sovereign and Air-Gapped Patterns#

Argo CD supports air-gapped operation with a private Git mirror and an OCI registry mirror. For UK NCSC OFFICIAL workloads, the typical pattern is: GitHub Enterprise Server inside the perimeter, Argo CD watching that, OCI artefacts mirrored to a Harbor or Artifactory inside the perimeter. No external network egress required in steady state.